Using .htaccess to Secure a Website

As promised, here are some .htaccess examples to help secure your web site. First off is preventing .php or other scripts from being run from within an ‘upload’ folder in the web space. You would expect images and in some cases, zip files or even Office type files. In order to block the script being run, add the .htaccess file into the directory in question, this file prevents .php files from being accessed:

<Files *.php>
   deny from all
</Files>

This one prevents .php, .pl, .cgi and .rb (for the Ruby enthusiasts)..

<FilesMatch "\.(php|pl|cgi|rb)$">
   deny from all
</FilesMatch>

Next up is to prevent access to the directory from any IP address but the ones you trust:

<Limit GET POST PUT>
 order deny,allow
 deny from all
 allow from 1.1.1.1                     # Use a single host
 allow from 192.168.0.0/16              # Use a CIDR slash notation
 allow from 172.16.0.0/255.255.0.0      # Use a netmask
 allow from 10.*.*.*                    # Use wildcards
</Limit>

Ive used various notations here for allowing the ip addresses.
The .htaccess files can do loads of great stuff, far too much to document here, but why not look on the Apache website here: http://httpd.apache.org/docs/2.2/howto/htaccess.html

This entry was posted in Apache, FreeBSD Administration and tagged , , , . Bookmark the permalink.

Leave a Reply